SmartThings Support

ZigBee "Insecure Rejoin" FAQ

The SmartThings Hub allows users to mitigate potential misuse of the ZigBee Home Automation feature known as "insecure rejoin" (sometimes called "unsecure rejoin"). Disabling insecure rejoin is optional, and there are advantages and disadvantages to both enabling and disabling this feature. Whether you opt to manually disable insecure rejoin depends entirely on your convenience and security preferences.

Can I get more information about ZigBee and "insecure rejoin"?

Your SmartThings Hub has several radio transmitters inside which allow it to be the universal translator between many different devices that all “speak” different languages. SmartThings doesn’t create these languages, rather we implement industry standards in order to ensure an open ecosystem, easy operation, and a high level of security. One of those radios and languages is called ZigBee Home Automation.

The current ZigBee Home Automation 1.2 standard uses encryption to allow only authorized devices to join a home network. To allow some devices (like battery-powered motion sensors) to drop off the network and then easily rejoin it, there is a feature known as “insecure rejoin” built into the standard. It has been shown, however, that in very specific cases this feature could potentially be used to gain unauthorized access to a ZigBee network. The upcoming ZigBee 3.0 specification removes this potential vulnerability, but until that new standard is released, SmartThings is giving users the ability to disable the insecure rejoin feature.

For a more technical and detailed explanation, read this post we made on the SmartThings Developer Community forum.

Here are some additional facts:

A known issue, not specific to SmartThings: This is a known issue with the ZigBee Home Automation standard, which is used by many companies across the industry; it is not specific to SmartThings.

We alerted our community: SmartThings has been aware of the potential misuse of ZigBee’s insecure rejoin feature since December 2015. We alerted our community immediately when this was discovered and worked to deliver this firmware update as soon as possible.

We’re actively participating in improving standards: As a member of the Board of the ZigBee Alliance, Z-Wave Alliance, and Thread Group, SmartThings is working across the industry to ensure that security is a primary focus in new standards development for the connected home.

What are the pros and cons of disabling ZigBee’s insecure rejoin feature?

Cons: ZigBee devices may “drop off” your network and become unresponsive. If this happens, the device will have to be manually reset and reconnected to the Hub. (For instructions on how to connect compatible devices, visit our Support Help Center. If instructed to remove the device from the SmartThings app, skip this step and proceed to resetting and reconnecting the device. See also "I think my device dropped off my ZigBee network..." below for more information.)

How do I disable insecure rejoin?

In the SmartThings app, insecure rejoin is enabled by default. To view and edit insecure rejoin:

Tap the menu (Android) / More (iOS)

Tap the Hub

Tap ZigBee Utilities

Toggle the switch for Insecure Rejoin to the OFF state

Tap Ok to confirm

In the Samsung Connect app, insecure rejoin is disabled by default through the Secure Mode setting. To view and edit the Secure Mode status:

Tap My Devices

Select your SmartThings Hub

Toggle Secure Mode to your desired setting

Secure Mode ON = ZigBee insecure rejoin disabled (most secure)

Secure Mode OFF = ZigBee insecure rejoin enabled (most compatible)

Note: If you have multiple SmartThings Hubs, you will have to perform the above steps for each Hub to disable insecure rejoin.

Once you have disabled insecure rejoin, you can continue to use your SmartThings Hub as normal. Simply keep an eye out for ZigBee devices that may become unresponsive.

You can re-enable insecure rejoin at any time. In the SmartThings app, toggle the Insecure Rejoin switch to the ON state from the ZigBee Utilities menu. In the Samsung Connect app, toggle Secure Mode to the OFF state.

Does this affect all Hubs?

Both first-generation SmartThings Hubs and Samsung SmartThings Hubs (Hub v2) use the ZigBee Home Automation standard and its insecure rejoin feature. Currently, the firmware update that allows users to disable insecure rejoin is only available for Hub v2.

I think my device dropped off my ZigBee network after disabling insecure rejoin—what should I do?

If you believe your ZigBee device failed to rejoin your network and is unresponsive, all you have to do is reconnect it with your Hub. Visit our Support Help Center for information about how to connect compatible devices. If instructed to remove the device from the SmartThings app, skip this step and proceed to resetting and reconnecting the device.

Tip: Put the Hub in join mode by selecting My Home and Add a Thing, and then power cycle the device (by removing and replacing the battery or by unplugging and replacing the device). Though the app may say that no devices were discovered, it’s possible that the device actually rejoined the ZigBee network behind the scenes. Navigate to the Things page and send a command to the device to see whether it is responsive.

Tip: If the above methods do not work, put the Hub in join mode by selecting Add a Thing. While the Hub is searching, perform the device-specific instructions to factory reset the device and then to connect the device.

Again, removing the device from the app before performing these steps is not necessary or recommended.

What else is SmartThings doing to ensure my home security?

Protecting our customers’ privacy and data security is fundamental to everything we do and is something we take seriously. We’re providing this information in response to a number of recent articles about wireless security in the home, to illustrate key facts and to clarify where we stand on specific issues being highlighted.

We also regularly perform penetration tests of our system and work with professional third-party security research firms to look for vulnerabilities in the platform so that we may continue to improve its security. We work hard to stay in front of any issues and be transparent with our customers about our efforts.